HealthEquity blog

What is your plan for protecting member health and financial information?


Cyber-attacks have become the fastest-growing crime in the United States, and, according to Hiscox Insurance, in 2016 “cybercrime cost the global economy over $450 billion.” Unfortunately, that number is expected to rise to over $6 trillion by 2021. To do their part to combat this crime, individuals and companies must take preventative measures to protect their personal information.

Employers should also do everything they can to prevent scammers and fraudsters from obtaining their employees’ sensitive information, including from their health savings account (HSA). These accounts may contain private medical and financial data that scammers can use to steal identities or commit other illegal acts.

Criminal techniques

Criminals are sophisticated in carrying out their scams. Phishing — when someone poses as a legitimate source in order to get sensitive information — is a common problem, and business leaders should know how to recognize and combat this scamming tactic.

Fraudsters often send emails seeking to trick the recipient into divulging Social Security numbers (SSNs), financial account numbers and personal identifying information. Employers should make sure they and their employees know how to recognize these scam emails.

Hackers are computer experts who find a way to creep into a company’s or person’s account and gather as much data as they can. Employers should work with trusted computer experts to ensure they are as safe as possible from hackers.

Tips to help you and your employees protect your HSAs

Some simple precautions can help you and your employees protect your personal information by detecting and rejecting phishing bait. Here are a few tips:

  • Create a unique and secure password: Passwords such as ‘123456’ or ‘password’ are not secure. It is also a good idea to inform your employees that the password they use for their HSAs should be unique to that account and not reused on other sites.
  • Don’t click on email links: If you or an employee receives an email with a link telling account holders to urgently sign into their HSA, don’t click the link. Account holders can confidently and securely log in to their account by typing in our URL,
  • Never reveal sensitive information: Fraudsters and phishers might send an email asking for passwords or other sensitive information (including SSNs or HSA account numbers). Do not reply to these emails.
  • Learn to identify ‘phishy’ details: The following are some common giveaways of a phishing email:
    • Subject line is ‘Urgent’ or ‘Immediate Action’
    • Sender name looks odd or unfamiliar
    • Email asks the account holder to ‘Confirm your identity’ (legitimate sites won’t ask account holders to verify information through an email)
    • The email may be full of grammatical errors and misspellings
    • The email may contain vague information
  • Review HSA transaction history frequently
  • When in doubt, call HealthEquity: Account holders can reach us 24/7 at 866.346.5800


Taking reasonable and simple precautions can help combat the scams and fraud that threaten the personal information contained in the HSAs of employers and their employees.


Nothing in this communication is intended as legal, tax, financial or medical advice. Always consult a professional when making life-changing decisions.

Topics: HSA, Employers, Security, Sensitive Data, HSA security, Cyber crime
